Security criteria for selecting a network switch?

Question

I am looking to purchase a switch with 24+ ports. The set of security criteria that I should bear in mind when selecting a switch is not clear to me.

I have tried to take other networking security issues into account already, and I'm only asking about the set of risks related to a network switch. I have already set up a firewall to protect my network, configured my wireless access points for secure settings, and my networking equipment is in a locked closet. In light of reports of networking equipment being remotely exploited, I'm trying to figure out what I need to consider when reviewing candidate products.

Currently, I believe the following are important criteria:

1. Timely firmware updates

If an exploit for the switch is discovered, is there a way to update the firmware? Also, will the switch manufacturer supply a firmware update in a timely manner?

2. Management

Not sure if this will be a net security plus. On the one hand, might enable security-related features such as VLANs. On the other, might just expand the attack surface over a "dumb" unmanaged switch.

3. Management / Configuration interface

Should be via SSH or TLS to allow only authorized access.

4. VLAN support

Allows network segregation (trusted vs. guest network), yet might expand the attack surface.

5. Reputation

Is this a situation where only a handful of manufacturers have a solid security track record? Or is this irrelevant?

6. Logging / SNMP

Useful for monitoring, or another attack surface not worth the trouble?

Are there other criteria that one should consider? Or refinements to the above criteria?

Answer 1

Your list is a good start, but I would like to add a few technical requirements that I find important when you are building a secure infrastructure.

1. Central authentication / Radius support. I like to integrate the authentication to a central authentication server. This eases management of administrators of the switch, and protects it from bruteforce attempts (account lockdown).

2. Port Security / IEEE 802.1X: In some locations, the ethernet plugs are exposed, and I do not want other people to connect unauthorized devices to the network.

3. Management VLAN. Support to select which VLAN the device will use for administrative services (ssh/https/snmp etc).

4. Access Control Lists / ACL. Some switches allow ACLs to be configured pr port. This is useful in strict environments where you want redundant barriers to mitigate configuration errors (misconfigured firewalls etc), or as an option if traffic do not pass a true firewall.

5. Bonding / LACP. Allow bonding network interfaces (across multiple switches). This is if you have some high-availability requirements, you want the infrastructure to be redundant.

6. MAC lockdown. A poor man's Port Security where you disable the switchport if you connect equipment with a new MAC address to a port. Nice to have if the equipment you connect to the switch do not support IEEE 802.1X.

Hope these possible requirements are helpful for you.